Description
In Development IL ecdh before 0.2.0, an attacker can send an invalid point (not on the curve) as the public key, and obtain the derived shared secret.
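The check whose absence the description refers to, as an added example (not code from the ecdh package): a received public key is verified against the curve equation before it is used in any shared-secret derivation. NIST P-256 and the uncompressed SEC1 encoding are assumptions made for the illustration, and the function names are hypothetical.

```javascript
// NIST P-256 domain parameters (public constants of the curve).
const P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn;
const A = P - 3n;
const B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn;

const mod = (v) => ((v % P) + P) % P;
const toBig = (bytes) => BigInt('0x' + Buffer.from(bytes).toString('hex'));

// Hypothetical helper: returns {x, y} for a valid uncompressed point and
// throws otherwise. Run it before the private scalar touches the peer's point.
function parseAndValidatePoint(pub) {
  // 0x04 || X (32 bytes) || Y (32 bytes); this encoding cannot express the
  // point at infinity, so the length check also rejects it.
  if (pub.length !== 65 || pub[0] !== 0x04) {
    throw new Error('expected 65-byte uncompressed point');
  }
  const x = toBig(pub.subarray(1, 33));
  const y = toBig(pub.subarray(33, 65));
  // Coordinates must be canonical field elements.
  if (x >= P || y >= P) throw new Error('coordinate out of range');
  // Curve equation: y^2 = x^3 + a*x + b (mod p).
  if (mod(y * y) !== mod(x * x * x + A * x + B)) {
    throw new Error('point is not on the curve');
  }
  // P-256 has cofactor 1, so an on-curve, non-infinity point is in the
  // correct group; curves with a larger cofactor need a subgroup check too.
  return { x, y };
}

function isValidPeerKey(pub) {
  try { parseAndValidatePoint(pub); return true; } catch { return false; }
}

// Constructed sample inputs: the P-256 base point, and the same bytes with
// one bit of Y flipped so the pair no longer satisfies the curve equation.
const onCurve = Buffer.from(
  '04' +
  '6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296' +
  '4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5', 'hex');
const offCurve = Buffer.from(onCurve);
offCurve[64] ^= 0x01;

console.log(isValidPeerKey(onCurve), isValidPeerKey(offCurve));
```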
Remediation
References
https://github.com/developmentil/ecdh/issues/3
Related Vulnerabilities
CVE-2020-28494 Vulnerability in npm package total.js
CVE-2021-32828 Vulnerability in maven package org.nuxeo.ecm.platform:nuxeo-platform-oauth
CVE-2020-36377 Vulnerability in npm package aaptjs
CVE-2019-16303 Vulnerability in npm package generator-jhipster
CVE-2022-40929 Vulnerability in maven package com.xuxueli:xxl-job-core